After a Cyber Attack: Dos and Don'ts for Higher Education IT Staff
For most colleges and universities, it's a question of when, not if, they will experience a cyber attack. Here are seven key considerations for handling the aftermath of a breach.
- By Charlie Sander
- 05/10/23
Higher education information systems hold a treasure trove of sensitive and valuable information that is tantalizing to hackers of all kinds. Their networks store personal and financial details on every student, faculty member, staff member, alumnus, research partner, and more: names, addresses, Social Security numbers, passport details, and health care data. That makes colleges and universities attractive targets. One estimate puts the value of an individual's educational records at around $265 on the black market.
Higher education also has a more "open access" culture and infrastructure than other organizations of similar size and complexity. Academic institutions deploy a wide range of devices for recruiting, teaching, research, data storage, and other activities, and students bring their own mobile devices to campus for research and note-taking.
This substantially increases the institution's exposure to attack. Although students know how to use their devices, they are often unaware of the importance of cybersecurity, and many personal devices lack basic security controls. Without proper network segmentation and monitoring, a compromised personal device that joins the campus WiFi can give an attacker a foothold from which to reach the institution's network.
According to IBM Security's Cost of a Data Breach Report, the average cost of a data breach in the education industry increased from $3.79 million in 2020 to $3.86 million in 2022. Further, education remains one of the top 10 industries with the highest average total cost. And according to a recent Sophos report, 40% of victims in the higher education sector took more than a month to fully recover from a cyberattack in 2021. This is in stark contrast to the 10% of manufacturing and production companies that took an extended period of time to recover from a similar attack.
The sad truth is that for most schools, it is a question of when, not if, they will experience a cyber attack. So let's dive into the dos and don'ts for IT staff once an attack occurs.
After a Cyber Attack, Do:
Act as swiftly as possible to contain the attack. The sooner you can isolate the affected systems, the better the prospects for recovery. Cyber attacks on schools, particularly those that cause significant disruption, often make headlines and come under a great deal of scrutiny from parents, faculty, and the general public. It is important to have an efficient and timely response and recovery plan in place so the damage from a breach can be limited before it becomes too severe.
Consider whether you need to bring in outside resources. Before attempting to remove the threat, get in touch with your incident response firm, cyber insurance provider, and law enforcement: insurers often require prompt notification and may specify which responders you can use, and wiping or rebuilding systems before evidence is collected can destroy the forensic trail investigators need. Once eradication is complete, confirm that there are no new indicators of compromise and that the security flaws the attacker used have been remedied, so malicious actors cannot regain access to systems and networks.
Your current team may or may not be equipped to handle the problem on its own. Whether the constraint is expertise, time, or both, institutions of all types and sizes should name, as part of their incident response plan, a service provider they can call for help with containment and recovery.
Analyze what happened to improve security practices and incident response. There's a saying in cybersecurity that the defenders have to get it right 100% of the time, while the criminal only needs to get it right once. Schools need to accept that there is no shame in being a victim of a cyber attack. The most important thing is analyzing what happened, what went right, and what went wrong, so the same mistakes can be avoided and the school can keep improving.
After the drama and stress of an attack and recovery, many teams skip this step altogether. Make sure your team takes the time to review once the dust settles and puts a plan in place to improve, and do it before so much time has passed that the details are fuzzy.
After a Cyber Attack, Don't:
Try to cover it up. You may need to gather the facts and coordinate with the pertinent authorities to decide what should be shared and what must remain confidential, and your stakeholders may not get every detail they want at a given moment. But do not attempt to keep the facts hidden. Doing so can damage your reputation, cut you off from available resources, and leave other schools unaware of the matter and vulnerable to the same issue.
Distract your recovery team from their work. Although the urge is understandable, it is usually best for those in leadership roles to refrain from getting overly involved. Trying to control the situation can be disruptive and keep the professionals from completing their tasks. Step back and let the experts do their work.
Expect recovery to be fast. How long recovery takes depends on the attack's type, scale, and scope. The recovery team will assess which systems have been affected and prioritize them by their importance to school operations, the extent of the damage, and how quickly they can be brought back online.
It may look as if less essential systems are being restored first; that can happen when those systems were confirmed uncompromised while recovery of more complex, higher-priority systems is still in progress. Recovery is not a linear process, and new issues may surface and need to be addressed along the way.
Think that this will never happen again. Organizations are often attacked multiple times, sometimes by the same group attempting to exploit the same vulnerability. This is why assessing the incident and strengthening cybersecurity practices and incident response is essential. Closing the gaps the attacker exploited, and any others you find, is necessary to secure your systems and data. Basic controls such as multifactor authentication, least-privilege access, monitoring, and automation help protect your systems and make responding to any breach faster.
In order for higher education to remain resilient in the long term, it is vital to establish a mindset that ties cybersecurity to quality of education. This way, schools can always be aware of their risk profile and adjust their prevention and mitigation strategies accordingly. Digital transformation and cyber threats will be an ongoing reality for colleges and universities moving forward.